Smartphones, Malware and Payment Systems

by Rich on March 10, 2011

A flurry of Android malware has been in the news lately, including some discussion of a hack which roots the device. That’s as significant as a compromise gets, but it’s not very interesting. Malware has been rooting devices for a long time, and Android, like anything else will have exploitable vulnerabilities.

Much more interesting to me is a trojan app which runs up charges on premium SMS numbers. It’s simple as far as attacks go. The app appears to be a media player, but sends expensive texts in the background. It’s also very clever, as it takes advantage of a payment system that’s not usually seen as an attack target. The credit card industry does a huge amount of work to prevent fraud. Merchants are held to strict security requirements. There are clear mechanisms to dispute charges you didn’t make and clear standards by which disputes are resolved.

Does any of that apply to text messages? Good luck. Phone companies are not known for their customer friendly (or customer transparent) dispute policies.

By targeting a payment system which was light on controls and light on merchant burdens for charge validations, the attackers smoothed their path to a lot of cash. As more types of purchases and more types of payment systems are tied to mobile devices, credit card levels of controls are going to have to come in to play to maintain consumer confidence in mobile payments. Their flexibility makes securing them more difficult than it is to secure credit cards.

For example, if I make a purchase on the app store, I need to enter my iTunes password. That’s a sensible control before allowing a payment. Once I enter my password, though, there’s a grace period where I can go back and buy more apps without reentering it. A clever trojan could watch for app purchases and then launch its own requests during that grace period. I might not know about it until a day or two later when I get an email receipt from Apple, assuming I even read it.

The impending onslaught of NFC capabilities in mobile phones is going to make this worse. If NFC based payments are simple credit card proxies, existing fraud detection mechanisms still come into play. There’s no telling how Apple and Google are going to try to build these markets, though. If your phone is just a proxy for your card, Apple or Google can’t take their cut of your every purchase. We could easily see iPay launched this summer, with your iTunes account debited by a wave of your phone over a retail kiosk. If mobile providers broker the transactions to credit card companies, it changes the fraud detection landscape. If it does, it’s unlikely to be for the better.